Detailed Action

1. This action is responsive to communication: amendment filed on 26 April 2004;
the original application was filed on 31 July 2000.

2. Claims 1-26 are currently pending in this application. Claims 1, 12, and 22 are 
independent claims. 

Claim Rejections - 35 USC § 102 

3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102
that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless -

(e) the invention was described in (1) an application for patent, published under section
122(b), by another filed in the United States before the invention by the applicant for patent or
(2) a patent granted on an application for patent by another filed in the United States before
the invention by the applicant for patent, except that an international application filed under
the treaty defined in section 351(a) shall have the effects for purposes of this subsection of an
application filed in the United States only if the international application designated the United
States and was published under Article 21(2) of such treaty in the English language.

4. Claims 1-5, 7, 9, and 11-17 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Alonso et al. U.S. Patent No. 6,434,700 (hereinafter 700). 

As to independent claim 1, "A computer network comprising a 
plurality of interconnected network devices including: (a) a plurality of 
client computers; (b) an authentication server computer operated by a 
system administrator; and (c) a disk drive connected to the authentication 
server computer, the disk drive comprising: an interface for receiving 
personal authentication data and user access data from the system 
administrator; a disk for storing data; a disk controller for controlling 
access to the disk; an authenticator, responsive to the personal 
authentication data, for enabling the [illegible]" is taught in 700 col. 5,
line 64 - col. 6, line 29; "[illegible] data received from the system
administrator into encrypted data stored [illegible]; cryptographic
circuitry for encrypting the [illegible] data stored on the disk" is
shown in 700 col. 2, lines 6-7 and col. 6, lines [illegible].

As to dependent claim 2, "[illegible] plurality of user identifiers and
corresponding access [illegible] of network devices" is disclosed in 700
col. 6, lines 16-2[illegible].

As to dependent claim 3, "The computer network as recited [illegible]".

As to dependent claim 4, "The computer network as recited in claim
3, wherein the user authentication data comprises a user password" is
taught in 700 col. 1, lines 6-10.

As to dependent claim 5, this claim contains texts that contain [illegible].

As to dependent claim 7, "[illegible] with the network device, and (b) the
device access data for use [illegible] to the network devices" is taught in
700 col. 6, line 62 - col. 7, line 7.
As to dependent claim 9, "The computer network as recited in claim
7, wherein: (a) the interface receives unencrypted device access data; and 
(b) the cryptographic circuitry encrypts the unencrypted device access 
data into the encrypted device access data stored on the disk" is disclosed 
in 700 col. 9, lines 1-9. 

As to dependent claim 11, "The computer network as recited in claim 
7, wherein the encrypted device access data is transmitted from the 
network devices to the disk drive" is taught in 700 col. 9, lines 9-19. 

As to independent claim 12, "A computer network comprising a 
plurality of interconnected network devices including: (a) a plurality of 
client computers; (b) an authentication server computer; and (c) a disk 
drive connected to the authentication server computer, the disk drive 
comprising: an interface for receiving from a client computer a user ID and 
a user access request to access a network device, and for transmitting 
device access data to the client computer" and "wherein the disk controller 
uses the decrypted data to generate the device access data transmitted to 
the client computer" is taught in 700 col. 5, line 64 - col. 6, line 29; 

"a disk for storing encrypted data, a disk controller, responsive to 
the user ID and user access request, for controlling access to the disk; and 

cryptographic circuitry for decrypting the encrypted data stored on 
the disk to generate decrypted data" is shown in 700 col. 2, lines 6-7 and col. 
6, lines 16-19. 
As to dependent claim 13, "The computer network as recited in claim
12, wherein: (a) the encrypted data comprises encrypted user
authentication data corresponding to the user ID; and (b) the
cryptographic circuitry decrypts the encrypted user authentication data to
generate decrypted user authentication data" is shown in 700 col. 2, lines 6-
7 and col. 6, lines 16-19.

As to dependent claim 14, "The computer network as recited in claim
13, wherein the decrypted user authentication data comprises a user
password" is taught in 700 col. 1, lines 6-10.

As to dependent claim 15, "The computer network as recited in claim
12, wherein the cryptographic circuitry encrypts the device access data before
transmission to the client computer" is shown in 700 col. 9, lines 9-19.

As to dependent claim 16, "The computer network as recited in claim
13, wherein: (a) the cryptographic circuitry encrypts the device access data
before transmission to the client computer; and (b) the cryptographic circuitry
encrypts the device access data using a cryptographic user key extracted
from the decrypted user authentication data" is taught in 700 col. 5, line 64 -
col. 6, line 29.

As to dependent claim 17, "The computer network as recited in claim 
16, wherein the cryptographic user key is generated by the cryptographic 
circuitry using the decrypted user authentication data" is shown in 700 col. 
2, lines 6-7. 
Claim Rejections - 35 USC § 103

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for
all obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically 
disclosed or described as set forth in section 102 of this title, if the differences 
between the subject matter sought to be patented and the prior art are such that 
the subject matter as a whole would have been obvious at the time the invention 
was made to a person having ordinary skill in the art to which said subject matter 
pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

6. Claims 6, 8, 10, and 18-21 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over 700 as applied to claims 1 and 12 in further view of DeTreville 
U.S. Patent No. 6,609,199 (hereinafter '199). 

As to dependent claim 6, the following is not taught in 700: "The
computer network as recited in claim 1, wherein: (a) the cryptographic
circuitry comprises an immutable secret drive key configured during
manufacture of the disk drive; and (b) the secret drive key for use in
encrypting the user access data"; however, '199 teaches "Computers 102 and
104 include access ports 112 and 114, respectively. Access ports 112 and 114
allow a portable integrated circuit (IC) device, such as device 116, to be
communicably coupled to computers 102 and 104 (e.g., device 116 may be
inserted into ports 112 and 114). This coupling can be accomplished in any of a
variety of conventional manners" and "The CPU manufacturer equips the CPU
134 with a pair of public and private keys 150 that is unique to the CPU. For
discussion purposes, the CPU's public key is referred to as "K.sub.CPU" and
the corresponding private key is referred to as "K.sub.CPU.sup.-1". Other
physical implementations may include storing the key on an external device to
which the main CPU has privileged access (where the stored secrets are
inaccessible to arbitrary application or operating system code)" in col. 4 lines 7-9
and col. 5 lines 54-60.

It would have been obvious to one of ordinary skill in the art at the time
of the invention to modify the authorization access server taught in 700 to include
a secret device key. One of ordinary skill in the art would have been motivated to
perform such a modification because a secret device key put in place by a
manufacturer is well known in the art to maintain security; see '199 (col. 2, lines
27 et seq.): "The invention addresses these disadvantages, providing an
improved way to maintain the security of private information on a portable IC
device".

As to dependent claim 8, "The computer network as recited in claim
7, wherein the encrypted device access data comprises an encrypted
secret device key shared with a corresponding network device" is taught in
'199 col. 5 lines 54-60 "The CPU manufacturer equips the CPU 134 with a pair of
public and private keys 150 that is unique to the CPU. For discussion purposes,
the CPU's public key is referred to as "K.sub.CPU.sup-1". Other physical
implementations may include storing the key on an external device to which the
main CPU has privileged access (where the stored secrets are inaccessible to
arbitrary application or operating system code)".
As to dependent claim 10, "The computer network as recited in claim
7, wherein the encrypted device access data is stored on the disk during
manufacture of the disk drive" is taught in '199 col. 5 lines 54-60 "The CPU
manufacturer equips the CPU 134 with a pair of public and private keys 150 that
is unique to the CPU. For discussion purposes, the CPU's public key is referred
to as "K.sub.CPU.sup-1". Other physical implementations may include storing
the key on an external device to which the main CPU has privileged access
(where the stored secrets are inaccessible to arbitrary application or operating
system code)".

As to dependent claim 18, "The computer network as recited in claim 
16, wherein the cryptographic user key is a public key for use in a public 
key encryption algorithm" is shown in '199 col. 5 lines 54-60 "The CPU 
manufacturer equips the CPU 134 with a pair of public and private keys 150 that 
is unique to the CPU". 

As to dependent claim 19, "The computer network as recited in claim 
12, wherein: (a) the cryptographic circuitry encrypts the device access data 
using a secret device key shared with the network device; and (b) the secret 
device key is used by the network device to authenticate device access 
requests received from client computers" is shown in '199 col. 5 lines 54-60 
"The CPU manufacturer equips the CPU 134 with a pair of public and private 
keys 150 that is unique to the CPU". 

As to dependent claim 20, "The computer network as recited in claim
19, wherein the secret device key shared with the network device is stored
in encrypted form on the disk and decrypted by the cryptography circuitry"
is shown in 700 col. 2, lines 6-7 and col. 6, lines 16-19 "Generally, a Fortezza
security system includes a Fortezza Crypto card that stores unique encrypted
information, and which executes encryption algorithms to produce a scrambled
one-time password ("OTP"). The card is a self-contained hardware system" and
"The ACS integrates and supports various authentication and authorization
technologies, including token cards, and Fortezza security systems".

As to dependent claim 21, "The computer network as recited in claim
12, wherein: (c) the cryptographic circuitry comprises an immutable secret
drive key configured during manufacture of the disk drive; and (d) the secret
drive key for use in decrypting the encrypted data stored on the disk" is
shown in '199 col. 5 lines 54-60 "The CPU manufacturer equips the CPU 134
with a pair of public and private keys 150 that is unique to the CPU. For
discussion purposes, the CPU's public key is referred to as "K.sub.CPU" and the
corresponding private key is referred to as "K.sub.CPU.sup.-1". Other physical
implementations may include storing the key on an external device to which the
main CPU has privileged access (where the stored secrets are inaccessible to
arbitrary application or operating system code)".

7. Claims 22-26 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over 700 in further view of '199. 

As to independent claim 22, "A computer network comprising a 
plurality of interconnected network devices including: (a) a plurality of 
client computers; (b) an authentication server; and (c) a disk drive
comprising: an interface for receiving an encrypted device access request
and for inputting/outputting user data from/to a client computer; a disk for
storing data; a disk controller for controlling access to the disk; an internal
drive key;" and "an authenticator, responsive to the decrypted secret
device key, for authenticating the device access request" is taught in 700
col. 5, line 64 - col. 6, line 29 "the network access server sends the user access
information to a centralized server, such as an Access Control Server ("ACS").
The ACS provides a central point of control for the management of multiple
security services, and network devices". The following is not taught in 700:

"a secret device key shared with the authentication server, the secret
device key stored in encrypted form; cryptographic circuitry, responsive
to the internal drive key, for decrypting the encrypted secret device key to
generate a decrypted secret device key"; however, '199 teaches "Computers
102 and 104 include access ports 112 and 114, respectively. Access ports 112
and 114 allow a portable integrated circuit (IC) device, such as device 116, to be
communicably coupled to computers 102 and 104 (e.g., device 116 may be
inserted into ports 112 and 114). This coupling can be accomplished in any of a
variety of conventional manners" and "The CPU manufacturer equips the CPU
134 with a pair of public and private keys 150 that is unique to the CPU. For
discussion purposes, the CPU's public key is referred to as "K.sub.CPU" and
the corresponding private key is referred to as "K.sub.CPU.sup.-1". Other
physical implementations may include storing the key on an external device to
which the main CPU has privileged access (where the stored secrets are
inaccessible to arbitrary application or operating system code)" in col. 4 lines 7-9
and col. 5 lines 54-60.

It would have been obvious to one of ordinary skill in the art at the time
of the invention to modify the authorization access server taught in 700 to include
a secret device key. One of ordinary skill in the art would have been motivated to
perform such a modification because a secret device key put in place by a
manufacturer is well known in the art to maintain security; see '199 (col. 2, lines
27 et seq.): "The invention addresses these disadvantages, providing an
improved way to maintain the security of private information on a portable IC
device".

As to dependent claim 23, "The computer network as recited in claim
22, wherein the encrypted secret device key stored on the disk" is taught in
'199 col. 5 lines 54-60 "The CPU manufacturer equips the CPU 134 with a pair of
public and private keys 150 that is unique to the CPU. For discussion purposes,
the CPU's public key is referred to as "K.sub.CPU" and the corresponding
private key is referred to as "K.sub.CPU.sup.-1". Other physical
implementations may include storing the key on an external device to which the
main CPU has privileged access (where the stored secrets are inaccessible to
arbitrary application or operating system code)".

As to dependent claim 24, "The computer network as recited in claim 
22, wherein the encrypted secret device key is configured during 
manufacture of the disk drive" is shown in '199 col. 5 lines 54-60 "The CPU 
manufacturer equips the CPU 134 with a pair of public and private keys 150 that
is unique to the CPU".

As to dependent claim 25, "The computer network as recited in claim 
22, wherein the disk drive transmits the encrypted secret device key to the 
authentication server" is taught in 700 col. 9, lines 9-19 "the network access 
server 104 receives user access information from client 102. In system 200, the 
communications function of accessing the network, and the structure that 
supports this function, are separated from the security functions". 

As to dependent claim 26, "The computer network as recited in claim 
22, wherein the internal drive key comprises tamper-resistant circuitry" is 
taught in '199 col. 6, lines 62-64 "Alternatively, the CPU 134 can store the boot 
log 158 in volatile memory 138 in a cryptographic tamper-resistant container". 
Response to Arguments

8. Applicant's arguments filed 26 April 2004 have been fully considered but they are
not persuasive.

In response to applicant's argument starting on page 2, "Alonso does not disclose
or suggest to implement network authentication facilities within a disk drive . . . The
invention overcomes this drawback by implementing the network authentication facilities
within a disk drive", the Office disagrees. Claim 1 indicates the following: "A computer
network comprising a plurality of interconnected network devices including: (a) a
plurality of client computers; (b) an authentication server computer operated by a system
administrator; and (c) a disk drive connected to the authentication server computer, ...".
The network authentication facilities are not within the disk drive; rather, the disk drive
provides a means for input to and output from the network authentication server. The
means to communicate with the network authentication server is shown in the rejection
above.

Further, as to applicant's argument on page 2, "The invention overcomes this drawback
by implementing the network authentication facilities within a disk drive", the Office
disagrees with the applicant's assertion that the Fortezza card does not authenticate.
Alonso teaches the use of a Fortezza Crypto card within a computer network. In col. 2,
lines 6-13, Alonso explains, "the Fortezza security system includes a Fortezza Crypto
card that stores unique encrypted information, and which executes encryption algorithms
to produce a scrambled one-time password ("OTP"). The card is a self-contained
hardware system, having its own CPU and memory, and which stores and authenticates
Fortezza OTPs". The card itself authenticates the user and controls access to the disk.
In response to applicant's argument on page 3, "Regarding claims 2, 3, 4, 5, 7, 9,
and 11, the examiner relies on the teaching by Alonso to use an access control server
(ACS) to implement the network authentication facilities recited in the claim": as shown
above, Alonso teaches everything in the independent claims and the rejection remains.

In response to applicant's argument on page 3, "Claim 12 recites a computer
network comprising a plurality of interconnected network devices . . . Alonso does not
disclose or suggest these limitations", the Office disagrees. The limitations of claim 12
were shown in Alonso: the Fortezza card authenticates the password, which is sent to the
access control server and then passed to the network access server. In addition, "unique
encrypted information" is stored on the Fortezza card; see Alonso col. 2, lines 6-7.

In response to applicant's argument on page 4, "However, modifying Alonso in
view of DeTreville would result in an authentication server implementing network
authentication facilities using a secret device key and not a disk drive implementing
authentication facilities using a secret device key", the Office disagrees. As explained
above, in Alonso col. 2, lines 6-13, the Fortezza card authenticates OTPs within itself.
Therefore the rejection remains.

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time
policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final
action is set to expire THREE MONTHS from the mailing date of this action. In the
event a first reply is filed within TWO MONTHS of the mailing date of this final action
and the advisory action is not mailed until after the end of the THREE-MONTH
shortened statutory period, then the shortened statutory period will expire on the date the
advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be
calculated from the mailing date of the advisory action. In no event, however, will the
statutory period for reply expire later than SIX MONTHS from the mailing date of this
final action.

9. Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Ellen C. Tran whose telephone number is (703) 305-8917.
The examiner can normally be reached from 6:30 am to 3:30 pm Monday - Thursday and
alternating Fridays.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gregory A Morse can be reached on (703) 308-4789. The fax phone 
number for the organization where this application or proceeding is assigned is 
(703) 872-9306. 

Any inquiry of a general nature or relating to the status of this application or 
proceeding should be directed to the receptionist whose telephone number is 
(703) 305-3900. 

NORMAN M. WRIGHT
PRIMARY EXAMINER

Ellen C. Tran
Patent Examiner
Technology Center 2134
2 July, 2004